Journal of Cryptographic Engineering

, Volume 8, Issue 1, pp 71–84 | Cite as

Arithmetic coding and blinding countermeasures for lattice signatures

Engineering a side-channel resistant post-quantum signature scheme with compact signatures
  • Markku-Juhani O. Saarinen
Regular Paper


We describe new arithmetic coding techniques and side-channel blinding countermeasures for lattice-based cryptography. Using these techniques, we develop a practical, compact, and more quantum-resistant variant of the BLISS Ideal Lattice Signature Scheme. We first show how the BLISS parameters and hash-based random oracle can be modified to be more secure against quantum pre-image attacks while optimizing signature size. Arithmetic Coding offers an information theoretically optimal compression for stationary and memoryless sources, such as the discrete Gaussian distributions often present in lattice-based cryptography. We show that this technique gives better signature sizes than the previously proposed advanced Huffman-based signature compressors. We further demonstrate that arithmetic decoding from an uniform source to target distribution is also an optimal non-uniform sampling method in the sense that a minimal amount of true random bits is required. Performance of this new Binary Arithmetic Coding sampler is comparable to other practical samplers. The same code, tables, or circuitry can be utilized for both tasks, eliminating the need for separate sampling and compression components. We then describe simple randomized blinding techniques that can be applied to anti-cyclic polynomial multiplication to mask timing- and power consumption side-channels in ring arithmetic. We further show that the Gaussian sampling process can also be blinded by a split-and-permute techniques as an effective countermeasure against side-channel attacks.


Lattice signatures Arithmetic coding Side-channel countermeasures Quantum-resistant cryptography BLISS 


  1. 1.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 237–343. USENIX Association (2016)Google Scholar
  2. 2.
    Bruinderink, L.G., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload—a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016, vol. 9813 of LNCS, pp. 323–345. Springer, Berlin (2016)Google Scholar
  3. 3.
    Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete ziggurat: a time-memory trade-off for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisonĕk, P. (eds.) SAC 2013, vol. 8282 of LNCS, pp. 402–417. Springer, Berlin. Extended version available as IACR ePrint 2014/510 (2014)Google Scholar
  4. 4.
    Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop in Partnership with the IQC (2014)Google Scholar
  5. 5.
    CESG. Quantum key distribution: a CESG white paper (2016)Google Scholar
  6. 6.
    Chen, L., Jordan, S., Liu, Y.-K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: Report on post-quantum cryptography. NISTIR 8105, April 2016Google Scholar
  7. 7.
    CNSS. Use of public standards for the secure sharing of information among national security systems. Committee on National Security Systems: CNSS Advisory Memorandum, Information Assurance 02-15 (2015)Google Scholar
  8. 8.
    Ducas, L.: Accelerating bliss: the geometry of ternary polynomials. IACR ePrint 2014/874 (2014)Google Scholar
  9. 9.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, pp. 40–56. Springer, Berlin, Extended version available as IACR ePrint 2013/383 (2013)Google Scholar
  10. 10.
    Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Edrees, H., Cheung, B., Sandora, M., Nummey, D.B., Stefan, D.: Hardware-optimized ziggurat algorithm for high-speed Gaussian random number generators. In: Plaks, T.P. (ed.) ERSA 2009, pp. 254–260. CSREA Press, Las Vegas (2009)Google Scholar
  12. 12.
    FIPS. (FIPS) 186-4, digital signature standard (DSS). Federal Information Processing Standards Publication (2013)Google Scholar
  13. 13.
    FIPS. Secure Hash Standard (SHS). Federal Information Processing Standards Publication 180-4 (2015)Google Scholar
  14. 14.
    FIPS. SHA-3 standard: Permutation-based hash and extendable-output functions. Federal Information Processing Standards Publication 202 (2015)Google Scholar
  15. 15.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC’96, pp. 212–219. ACM (1996)Google Scholar
  16. 16.
    Grover, L.K.: From Schrödinger’s equation to the quantum search algorithm. Am. J. Phys. 69(7), 769–777 (2001)CrossRefGoogle Scholar
  17. 17.
    Howe, J., Pöppelmann, T., O’Neill, M., O’Sullivan, E., Güneysu, T.: Practical lattice-based digital signature schemes. ACM Trans. Embed. Comput. Syst. 14(3), 41:1–41:24 (2015)CrossRefGoogle Scholar
  18. 18.
    Jonsson, J., Kaliski, B.: Public-key cryptography standards (PKCS) #1: RSA cryptography specifications version 2.1. IETF RFC 3447 (2003)Google Scholar
  19. 19.
    Karney, C.F.F.: Sampling exactly from the normal distribution. Preprint arXiv:1303.6257, Version 2 (2014)
  20. 20.
    Knuth, D.E., Yao, A.C.: Algorithms and complexity: new directions and recent results. In: Traub, J.F. (ed.) The Complexity of Nonuniform Random Number Generation, pp. 357–428. Academic Press, New York (1976)Google Scholar
  21. 21.
    Kocher, P.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Koblitz, N., (ed.) CRYPTO’96, vol. 1109 of LNCS, pp. 104–113. Springer, Berlin (1996)Google Scholar
  22. 22.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO’99, vol. 1666 of LNCS, pp. 388–397. Springer, Berlin (1999)Google Scholar
  23. 23.
    Langdon Jr, G.G.: An introduction to arithmetic coding. IBM J. Res. Dev. 28(2), 135–149 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Liu, Z., Seo, H., Roy, SS., Großschädl, J., Kim, H., Verbauwhede, I.: Efficient ring-LWE encryption on 8-bit AVR processors. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015, vol. 9293 of LNCS, pp. 663–682. Springer, Berlin (2015)Google Scholar
  25. 25.
    Marsaglia, G., Tsang, W.W.: A fast, easily implemented method for sampling from decreasing or symmetric unimodal density functions. SIAM J. Sci. Stat. Comput. 5(2), 349–359 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Marsaglia, G., Tsang, W.W.: The ziggurat method for generating random variables. J. Stat. Softw. 5(8), 1–7 (2000)CrossRefGoogle Scholar
  27. 27.
    NSA/CSS. Information assurance directorate: commercial national security algorithm suite and quantum computing FAQ (2016)Google Scholar
  28. 28.
    Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010, vol. 6223 of LNCS, pp. 80–97. Springer, Berlin (2010)Google Scholar
  29. 29.
    Pennebaker, W.B., Mitchell, J.L., Langdon Jr, G.G., Arps, R.B.: An overview of the basic principles of the Q-coder adaptive binary arithmetic coder. IBM J. Res. Dev. 32(6), 717–726 (1988)CrossRefGoogle Scholar
  30. 30.
    Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014, vol. 8731 of LNCS, pp. 353–370. Springer, Berlin. Extended version available as IACR ePrint 2014/254 (2014)Google Scholar
  31. 31.
    Rissanen, J.J.: Generalized kraft inequality and arithmetic coding. IBM J. Res. Dev. 20, 198–203 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  32. 32.
    Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Compact and side channel secure discrete Gaussian sampling. IACR ePrint 2014/591 (2014)Google Scholar
  33. 33.
    Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact ring-LWE cryptoprocessor. In: Batina, L., Robshaw, M. (eds.) CHES 2014, vol. 8731 of LNCS, pp. 371–391. Springer, Berlin (2014)Google Scholar
  34. 34.
    Saarinen, M.-J.O.: Gaussian sampling precision in lattice cryptography. IACR ePrint 2015/953 (2015)Google Scholar
  35. 35.
    Said, A.: Introduction to arithmetic coding—theory and practice. In: Sayood, K. (ed.) Lossless Compression Handbook. Academic Press, Chapter also published as HP Technical report HPL-2004-76 (2002)Google Scholar
  36. 36.
    Valiant, G., Valiant, P.: An automatic inequality prover and instance optimal identity testing. In: FOCS 2014, pp. 51–60. IEEE Computer Society, Full version available as (2014)
  37. 37.
    Weiden, P., Hülsing, A., Cabarcas, D., Buchmann, J.: Instantiating treeless signature schemes. IACR ePrint 2013/065 (2013)Google Scholar
  38. 38.
    Witten, I.H., Neal, R.M., Cleary, J.G.: Arithmetic coding for data compression. Commun. ACM 30(6), 520–540 (1987)CrossRefGoogle Scholar
  39. 39.
    Zalka, C.: Grover’s quantum searching algorithm is optimal. Phys. Rev. A 60, 2746–2751 (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.Dark Matter LLCAbu DhabiUnited Arab Emirates

Personalised recommendations